CVE-2022-25912
Summary
| CVE | CVE-2022-25912 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2022-12-06 05:15:00 UTC |
| Updated | 2023-08-08 14:21:00 UTC |
| Description | The package simple-git before 3.15.0 is vulnerable to Remote Code Execution (RCE) when enabling the ext transport protocol, which makes it exploitable via the clone() method. This vulnerability exists due to an incomplete fix of [CVE-2022-24066](https://security.snyk.io/vuln/SNYK-JS-SIMPLEGIT-2434306). |
Risk And Classification
Problem Types: CWE-78
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Simple-git Project | Simple-git | All | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Chore: bump lerna, jest and create prettier workflow (#862) · steveukx/git-js@7746480 · GitHub | CONFIRM | github.com | |
| Remote Code Execution (RCE) in org.webjars.npm:simple-git \| CVE-2022-25912 \| Snyk | CONFIRM | security.snyk.io | |
| N/A | CONFIRM | github.com | |
| Remote Code Execution (RCE) in simple-git \| CVE-2022-25912 \| Snyk | CONFIRM | security.snyk.io | |
| Release [email protected] · steveukx/git-js · GitHub | CONFIRM | github.com | |
| git-js/PLUGIN-UNSAFE-ACTIONS.md at main · steveukx/git-js · GitHub | MITRE | github.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
LEGACY: Sam Wheating
There are currently no legacy QID mappings associated with this CVE.